Compartilhar via


Cloud Computing: Legal and Policy challenges

Last month I had the opportunity to talk about cloud computing at an Australian National University CEPS Seminar. It’s a timely and important topic, as the computing experience is undergoing a powerful transformation. Increasingly consumers and businesses alike are harnessing computing power in the cloud. We’re running applications and storing documents on powerful servers located in massive data centers around the world. We’re using more powerful client devices. And we’re creating, accessing, and sharing more of our personal information more frequently and with more people than ever before.

The rapid growth of cloud computing offers tremendous potential for new innovations, efficiencies, and cost savings for governments, businesses, and individuals alike. These benefits have the potential to transform businesses; provide new innovations to consumers; and improve important services, such as healthcare and government-provided services. While the benefits of this transformation are immense, we also need to overcome new obstacles and address emerging challenges as well. We can’t take the benefits of technology for granted. We can’t afford to close our eyes to the obstacles we need to overcome. We need to build confidence in the cloud. And that requires a new conversation about the opportunity – and need – for industry and government each to take steps to move forward.

I was pleased to have the chance at Australian National University to add our voice to this important conversation. I talked about several issues relating to the security and privacy of information in the cloud that I’d like to amplify here.

Protecting the Privacy of Cloud Participants

Protecting users’ privacy interests is essential to promoting user trust and engagement—regardless of whether data is stored in the “cloud” or “on premises.” That said, the cloud will shift the location of all forms of data, including personal and confidential data, from on premises—where it receives stronger legal privacy protection in some countries—to third parties—where it may receive less legal protection from access by other third parties, including law enforcement. The cloud also raises core privacy issues, such as who else has access to the data and how it will be used.

To address these issues, it’s vital that Industry be transparent about their practices and give individual and business users more control over the data they create. Government has an important role to play as well, including by updating – and unifying – privacy rules that protect individual, commercial, and government information in the cloud. It’s unclear whether the existing legal framework protects digital data stored in the cloud to the same extent as physical data stored in a home or office. Therefore, laws and regulations governing the privacy of electronic communications may need to be updated and aligned with current technological realities.

Securing Data Stored in the Cloud and Promoting Transparent Security Practices

The world needs a safe and open cloud – a cloud that is protected from the efforts of thieves and hackers and also that serves as an open source of information to all people around the world. The aggregation of massive amounts of data in large datacenters creates a new and tempting target for criminals to attack physically and in cyberspace. A single point of failure can magnify security risks.

From an industry standpoint, cloud service providers should adopt comprehensive security practices and procedures to secure the consumer, business, and government data they store in the cloud. All providers claim that their systems are secure, but few back up these claims with the specifics that enable users to evaluate these claims or to meaningfully compare vendors’ security practices. There are certain fundamental elementsprinciples of “truth in cloud computing” —that would enable users (including individuals, businesses and governments) to make such informed decisions.

Government can assist by requiring the right level of transparency and accountability on the part of industry. For example, because adoption of cloud computing services depends on appropriate security for the data of individuals and businesses, government could enact legislation that requires cloud computing service providers to adopt a comprehensive information security program and disclose a summary of this program to its customers. Of course, policymakers should also make it easier for law enforcement and cloud providers to combat unauthorised access to cloud data. Alignment to the Council of Europe Cybercrime Convention is an international best practice, and the Rudd Government should be applauded for its recent decision to ratify that instrument. Governments should also provide law enforcement with the funding it needs to pursue cybercriminals. There is greater need than ever for enhanced law enforcement training, the development of expert forensic analysis related to computer crimes, and resources to combat cybercrime.

The Need to Avoid Conflicting Rules on Privacy and Data Security

National governments are imposing conflicting legal obligations and asserting competing jurisdictional claims over user data and content held by cloud service providers. This places data and content at risk to demands from multiple governments for access, often pursuant to different standards and processes, including protections for the individuals whose data is at issue. And it places service providers in a Catch-22 situation, having to decide between conflicting legal obligations. Ultimately, the thicket of competing and conflicting national laws threatens to impede technological innovation and undermine consumer confidence in the privacy and security of data stored in the cloud.

Industry and government should work together to achieve global consensus on rules that will protect the privacy and security of data from both individual and commercial users while also ensuring legitimate law enforcement needs are addressed and businesses do not face conflicting legal requirements. There’s no easy solution for this challenge, and indeed the answer likely lies in a multi-faceted approach. First, there may be a need to update existing multilateral frameworks at the global level (or develop new ones). Second, there are opportunities for new agreements at the regional level – perhaps through existing for a such as APEC. Third, the Australian government should continue striving to address these thorny jurisdictional issues through bilateral agreements and arrangements.

Whatever combination of vehicles is employed, it’s critical that the discussion on potential solutions include stakeholders representing government, industry, the academic community, and consumers.

Jeff Bullwinkel, General Counsel, Microsoft Australia

Technorati Tags: cloud computing,government,privacy,security